The security of a standard bi-directional "plug & play" quantum key distribution
(QKD) system has been an open question for a long time. This is mainly because
its source is equivalently controlled by an eavesdropper, which means the source is
unknown and untrusted. Qualitative discussion on this subject has been made
previously. In this paper, we present the first quantitative security analysis on a general
class of QKD protocols whose sources are unknown and untrusted. The security of the
standard BB84 protocol, the weak+vacuum decoy state protocol, and the one-decoy decoy
state protocol, with unknown and untrusted sources, is rigorously proved. We derive
rigorous lower bounds to the secure key generation rates of the above three protocols.
Our numerical simulation results show that QKD with an untrusted source gives a
key generation rate that is close to that with a trusted source.



I. INTRODUCTION 

Quantum key distribution (QKD), when combined with the one-time pad algorithm,
provides unconditional communication security. The unconditional security is rigorously
proved based on fundamental physics principles such as the quantum no-cloning theorem
and Heisenberg's uncertainty principle [4], rather than unproven computational complexity
assumptions. The unconditional security of QKD has been proven even when implemented
on imperfect practical set-ups with coherent laser sources and semi-realistic models.

Unconditional security of quantum cryptography is different from "absolute security". 
"Unconditional" in the security proof of QKD means that we are not making any assumption 
about Eve's technology, except that quantum mechanics is correct. However, we do have 
to make assumptions on Alice's and Bob's sides to ensure the security. The concept of 
unconditional security in QKD is discussed in detail in Q].

Recently, the ideas of device-independent security proofs of QKD and security from
causality constraints have been proposed ay , [10], but a complete proof of unconditional
security along those lines is still missing. Moreover, any such device-independent security
proofs, even if successfully constructed in future, will not be applicable to practical QKD
systems due to the well-known detection efficiency loophole. This loophole can be filled under
the fair sampling assumption. Unfortunately, the fair sampling assumption can be invalid
in practical QKD set-ups due to some imperfections, like the detection efficiency mismatch.
Indeed, the detection efficiency mismatch opens a back door for several practical attacks,
including the faked states attack 

even been experimentally demonstrated on a commercial QKD system [14], thus highlighting
the weakness of practical QKD systems. 

It is very important to develop security proofs with testable assumptions, and test the
assumptions both theoretically and experimentally. For example, the assumption of phase
randomization is often made in security proofs of practical set-ups. However, the phases
of signals are not naturally randomized in practice. Fortunately, the validity of the
phase-randomization assumption can be confidently guaranteed by actively randomizing the phase
of each signal, which has only been demonstrated in a recent experiment Q. See, however,
[16] for a security proof that does not require the phase randomization assumption.

The validity of the coherent state assumption is also questionable. For example, it is 
common to use pulsed laser diodes as sources in QKD experiments. These laser diodes are 
driven by pulsed electrical currents. When the driving current is switched on, it will take 
a short while before the laser's gain reaches its stabilizing threshold. During this transition 
period, the output from the diode cannot be viewed as coherent state. Therefore, it is not 
rigorous to consider the entire pulse as a coherent state. 

A more severe problem comes from the standard bi-directional (so-called "plug & play")
design which is widely used in commercial QKD systems. In this particular scheme,
bright pulses are generated by Bob (a receiver) rather than Alice (a sender). The pulses
will travel through the channel, which is fully controlled by Eve (an eavesdropper), before
entering Alice's lab to get encoded and sent back to Bob. Eve can perform arbitrary
operations on the pulses when they are sent from Bob to Alice. In the worst case, Eve can replace
the original pulses by her own sophisticatedly prepared optical signals. Such an attack is
called the Trojan horse attack [18]. Therefore, it is highly risky to assume that Alice uses a
coherent state source in the security analysis of "plug & play" QKD systems.

Previously, a qualitative argument on the security of bi-directional QKD system was
provided in [18]. The intuition is to show that by applying heavy attenuation, an input state
with arbitrary photon number distribution can be transformed into an output state with
Poisson-like distribution. However, it is challenging to quantify how close to the Poissonian
state the output state is.

We start from another intuition: we look into the actual photon number distribution
created by the internal loss of Alice's local lab. The phase randomization can transform
arbitrary input state into a classical mixture of number states. By modeling the internal
loss inside Alice's local lab as a beam splitter, for each particular input photon number, the
photon number of output state obeys binomial distribution. Note that this is not a
binomial-like, but a rigorous binomial distribution. The analysis of binomial distribution is in general
harder than that of Poisson distribution. However, in this way we can quantitatively and
rigorously analyze its security.

The discovery of decoy methods can dramatically improve the performance (by means
of higher key rate and longer transmission distance) of coherent laser based QKD systems
26]. The decoy method has been experimentally demonstrated over long distances.

In decoy state QKD, each bit is randomly assigned as a signal state or one of the decoy
states. Each state has its unique average photon number. These states can be prepared
by setting different internal transmittances $\lambda$ in Alice's local lab. For example, if a bit is
assigned as a signal state, the internal transmittance for this bit will be $\lambda_S$. If a bit is
assigned as a decoy state, the internal transmittance for this bit will be $\lambda_D \neq \lambda_S$. Normally
$\lambda_D < \lambda_S$.

In previous analysis on decoy state QKD 26], one important assumption is
that the yield of n photon state $Y_n$ in signal state is the same as $Y_n$ in decoy state, i.e.,
$Y_n^S = Y_n^D$. Here $Y_n$ is defined as the conditional probability that Bob's detectors generate
a click given that Alice sends out an n photon signal. This is true because in the analysis
of 26] Eve knows only the output photon number n of each pulse. Another
fundamental assumption is that the quantum bit error rate (QBER) of n photon state $e_n$
in signal state is the same as $e_n$ in decoy state, i.e., $e_n^S = e_n^D$. Note that, once Eve knows
some additional information about the source, the above two fundamental assumptions will
fail [35].

We emphasize that in the case of "Plug & Play" QKD, Eve knows both the input photon
number m and the output photon number n. Therefore she can perform an attack that
depends on the values of both m and n. In Section VI A and Appendix El we show explicitly
that $Y_n^S \neq Y_n^D$ and $e_n^S \neq e_n^D$ in this case. The parameters that are the same for both the
signal state and the decoy states are $Y_{m,n}$ (the conditional probability that Bob's detectors
click given that this bit enters Alice's lab with photon number m and emits from Alice's lab
with photon number n) and $e_{m,n}$ (the QBER of bits with m input photons and n output
photons).

In brief, there is more information available to Eve once she controls the source. The 
security analysis for decoy state QKD in this case is much more challenging. 

In this paper, we analyze the most general case: we consider the source as controlled by 
Eve. Therefore the source is completely unknown and untrusted. Rather surprisingly, we 
show that even in this most general case, the security of the QKD system can be analyzed 
quantitatively and rigorously. We also show that the decoy method can still be used to 
enhance the performance of the system dramatically when the source is unknown and
untrusted. For the first time, we show quantitatively that the security of "plug & play" QKD
system is understandable and achievable. Moreover, we show what measures are necessary 
to ensure the security of the QKD system, and rigorously derive a lower bound of the secure 
key generation rate. Our numerical simulation results show that QKD with an untrusted 
source gives a key generation rate that is close to that with a trusted source. 

It is important to implement QKD with testable assumptions. In this paper, we showed 
that the coherent source assumption can be removed. Nonetheless, we still keep a few 
standard assumptions including single mode assumption, phase randomization assumption, 
etc. in our security proof. To ensure that our assumptions of single-mode and phase
randomization are satisfied in practice, we propose specific experimental measures for Alice to
implement. More concretely, we propose that Alice uses a strong filter to filter out other
optical modes and uses active phase randomization to achieve phase randomization. It would
be interesting to see the security consequence of removing, say, the single mode assumption. 
However, this is beyond the scope of this work. 

This paper is organized in the following way: in Section II, we propose some measures 
that should be included in the QKD set-up, and a key term - "untagged bit" - is defined; 
in Section III, we study the experimental properties of the untagged bits; in Section IV, 
the photon number distribution for untagged bits is analyzed; in Section V, we prove the
security of practical QKD system with unknown and untrusted source, and explicitly show 
the equation for the key generation rate; in Section VI, we prove the security of two decoy 
state protocols - the weak+vacuum protocol and the one-decoy protocol - with unknown 
and untrusted sources; in Section VII, numerical simulation results are shown; in Section 
VIII, we present our conclusion and discuss future directions. 



II. MEASURES TO ENHANCE THE SECURITY 



Here we will use three measures, which were briefly mentioned in [18], to enhance the
security of the system. A general system that has applied these measures is shown in Fig. 1.
There are various sources of losses inside Alice's apparatus. Here we model all the losses as
a $\lambda/(1-\lambda)$ beam splitter. That is, the internal transmittance of Alice's local lab is $\lambda$. We
assume that Alice can set $\lambda$ accurately via, say, a variable optical attenuator. In other words,
any photon that enters the encoding arm has a probability $\lambda$ to get encoded and sent
out from Alice.

1. We pointed out and demonstrated in [l^j that the side-channel can be exploited by
Eve to acquire additional information. To shut down these side-channels, we need to
place a filter (Filter in Fig. 1) which works in spectral, spatial, and temporal domains.
In other words, only pulses of the desired mode can pass through the filter. Therefore, 
we can use single mode assumption for each signal. Incidentally, the single mode 
assumption may not hold for an open-air QKD set-up. This is because 1) the free 
space will not suppress the propagation of higher modes and 2) the collection system 
at Bob's side can only collect part of the beam sent from Alice. 



2. The phase randomization is a general assumption made in most security proofs on
practical set-ups [5], [6], [20]. It can disentangle the input pulse from Eve by transforming
it into a classical mixture of Fock states $\sum_{n=0}^{\infty} p_n |n\rangle\langle n|$ 3- Its feasibility has been
experimentally demonstrated [15]. Alice should apply the phase randomization on the
input optical signals. In Fig. 1 this is accomplished by the Phase Randomizer.

3. We need to monitor the pulse energy to acquire some information about the photon
number distribution. By randomly sampling a portion of the pulses to test the photon
numbers, we can estimate some bounds on the output photon number distribution as
shown in the following sections. In Fig. 1 this is accomplished by the Optical Switch
and the Intensity Monitor.

FIG. 1: A schematic diagram of the set-up that incorporates the three suggested measures: Filter
is used to guarantee the single mode assumption; Phase Randomizer is used to guarantee the phase
randomization assumption; Optical Switch and Intensity Monitor are used to randomly sample the
photon number of input pulses. All the internal losses inside Alice's local lab are modeled as a
$\lambda/(1-\lambda)$ beam splitter. That is, any input photon has probability $\lambda$ to get encoded and sent
from Alice to Bob, and probability $1-\lambda$ to be discarded into the Garbage. $M$ and $N$ are the
random variables for input photon numbers and output photon numbers, respectively. Note that
in a standard "plug & play" setup, the actual source is inside Bob's local lab. However, Eve can
replace the pulses sent by Bob with arbitrary optical signals. This is equivalent to the general case
in which Eve controls the source.



Suppose that 2K pulses entered Alice's local lab, within which K pulses were randomly
chosen by the Optical Switch in Fig. 1 for testing photon numbers (these pulses are called
"sampling bits"), and the rest K pulses were encoded and sent to Bob (these pulses are
called "coding bits"). Define the pulses with photon number $m \in [(1-\delta)N, (1+\delta)N]$ as
"untagged" bits, and pulses with photon number $m < (1-\delta)N$ or $m > (1+\delta)N$ as "tagged"
bits. Note that the definitions of "untagged" and "tagged" here are different from those in
s|. From random sampling theorem (see, like, [36]) we know that the probability that
there are less than $K\Delta$ tagged sampling bits and more than $(\Delta+\varepsilon)K$ tagged coding bits
is asymptotically less than $e^{-O(\varepsilon^2 K)}$. $\varepsilon$ should be chosen under the condition that $\varepsilon^2 K \gg 1$.
Therefore there are no less than $(1-\Delta-\varepsilon)K$ untagged coding bits with high fidelity.

In the following discussion, we will focus on these $(1-\Delta-\varepsilon)K$ untagged bits. Of
course, there can also be some untagged bits in the rest $(\Delta+\varepsilon)K$ bits, but neglecting these
out-of-scope untagged bits just makes our analysis conservative.

$N$ and $\delta$ can, in principle, be arbitrarily chosen. However, some constraints will be applied
to optimize the key generation rate. We will discuss the optimal choice later.



III. PROPERTIES OF THE UNTAGGED BITS 

In QKD experiments, the two most important measurable outputs are the gain [37] and
the QBER. In our analysis, we are more interested in the gain and the QBER of the untagged 
bits. This is because the input photon numbers of the untagged bits are concentrated within 
a narrow range, making it much easier to analyze the security. 

However, Alice cannot in practice perform quantum non-demolishing (QND) measurement
on the photon number of the input pulses with current technology. Therefore, she does
not know which bits are tagged and which are untagged. As a result, the gain [37] $Q$ and
the QBER $E$ of the untagged bits cannot be measured experimentally. Here $Q$ is defined as
the conditional probability that Bob's detector clicks given that Alice sends out an untagged
bit and Alice and Bob use the same basis; $E$ is defined as the conditional probability that
Bob's bit value is different from Alice's given that Bob's detector clicks, Alice sends out an
untagged bit, and Alice and Bob use the same basis.

In an experiment, Alice and Bob can measure the overall gain $Q_e$ and the overall QBER
$E_e$. The subscript e denotes the experimentally measurable overall properties. Moreover,
they know the probability that a certain bit is tagged or untagged from the above analysis.
Although they cannot measure the gain $Q$ and the QBER $E$ of the untagged bits directly,
they can estimate the upper bounds and lower bounds of them. The upper bound and lower
bound of $Q$ are

$$\overline{Q} = \frac{Q_e}{1-\Delta-\varepsilon}, \qquad \underline{Q} = \max\left(0, \frac{Q_e-\Delta-\varepsilon}{1-\Delta-\varepsilon}\right). \qquad (1)$$

The upper bound and lower bound of $E \cdot Q$ can be estimated as

$$\overline{E \cdot Q} = \frac{Q_e E_e}{1-\Delta-\varepsilon}, \qquad \underline{E \cdot Q} = \max\left(0, \frac{Q_e E_e-\Delta-\varepsilon}{1-\Delta-\varepsilon}\right). \qquad (2)$$

To get tighter bounds on $Q$ and $E \cdot Q$, we need to minimize $\Delta$, which means that $\delta$ should
be made large so as to minimize the amount of tagged bits. See, however, discussion after
Eqs. (SD.



IV. PHOTON NUMBER DISTRIBUTION OF UNTAGGED BITS 



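Consider an untagged bit with input photon number $m \in [(1-\delta)N, (1+\delta)N]$. The
conditional probability that n photons are emitted by Alice given that m photons enter
Alice obeys binomial distribution as

$$P_n(m) = \binom{m}{n} \lambda^n (1-\lambda)^{m-n} \qquad (0 \le \lambda \le 1). \qquad (3)$$

For untagged bits (i.e., $m \in [(1-\delta)N, (1+\delta)N]$), we can show that the upper bound
and lower bound of $P_n(m)$ are:

$$\overline{P_n} = \begin{cases} (1-\lambda)^{(1-\delta)N}, & \text{if } n = 0; \\ \binom{(1+\delta)N}{n} \lambda^n (1-\lambda)^{(1+\delta)N-n}, & \text{if } 1 \le n \le (1+\delta)N; \\ 0, & \text{if } n > (1+\delta)N; \end{cases}$$

$$\underline{P_n} = \begin{cases} (1-\lambda)^{(1+\delta)N}, & \text{if } n = 0; \\ \binom{(1-\delta)N}{n} \lambda^n (1-\lambda)^{(1-\delta)N-n}, & \text{if } 1 \le n \le (1-\delta)N; \\ 0, & \text{if } n > (1-\delta)N; \end{cases} \qquad (4)$$

under Condition 1:

$$(1+\delta) N \lambda < 1. \qquad (5)$$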

Condition 1 suggests that the expected output photon number of any untagged bit should 
be lower than 1. This is easy to implement experimentally. For example, for $N = 10^6$, Alice
can simply set $\lambda =$ so that the expected output photon number is 0.1. Most reported
BB84 implementations satisfy Condition 1. 

To get tighter bounds on $P_n(m)$, we need to minimize $\delta$. However, as we discussed below
Eq. (T5]), minimizing $\delta$ will lower the amount of untagged bits (i.e., there will be fewer pulses
containing photon number $m \in [(1-\delta)N, (1+\delta)N]$ as the bound becomes narrower), thus
loosening the bounds on the gains and QBERs of untagged bits. In summary, there is a
trade-off between the tightness of the bounds of $P_n(m)$ and the tightness of the bounds of
$Q$ and $E \cdot Q$. The optimal choice of $\delta$ depends on the properties of the specific system, and can
be obtained numerically.

V. GENERALIZED GLLP RESULTS WITH UNTRUSTED SOURCE

From the work of Gottesman-Lo-Lütkenhaus-Preskill (GLLP) the secure key generation
rate of standard BB84 protocol [1] is given by

R > \{-Q e f{E e )H 2 {E e ) + QQ[1 - H 2 (^)}}, (6) 

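where 1/2 is the probability that Alice and Bob use the same basis, $Q_e$ and $E_e$ are obtained
experimentally, $f$ ($> 1$) is the bi-directional error correction inefficiency jssj], and

$$\Omega = 1 - \frac{P_M}{Q}, \qquad (7)$$

where $P_M = \sum_{n=2}^{\infty} P_n(m)$ is the probability of output multiphoton signals. Recall that if
the input photon number $m = (1+\delta)N$, we have

$$P_n((1+\delta)N) = \begin{cases} \underline{P_n}, & \text{if } n = 0; \\ \overline{P_n}, & \text{if } n \ge 1. \end{cases}$$

Therefore $\underline{P_0} + \sum_{n=1}^{\infty} \overline{P_n} = 1$. The upper bound of $P_M$ is
$\overline{P_M} = \sum_{n=2}^{\infty} \overline{P_n} = 1 - \underline{P_0} - \overline{P_1}$, and
the lower bound of Q is

The lower bound of $Q\Omega$ is thus given by

$$\underline{Q\Omega} = \underline{Q} - \overline{P_M} = \underline{Q} + \underline{P_0} + \overline{P_1} - 1, \qquad (8)$$

where $\underline{Q}$ can be obtained via Eq. (1).

Plugging Eq. (8) into Eq. (6), we have the key generation rate per bit sent by Alice,
given an untrusted source is used, as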

R > k-Qef(E e )H 2 (E e ) + (Q + Po + Pl- 1)[1 - H 2 ( ^ )]}. (9) 
The numerical simulation of the above analysis is presented in Section VII.



VI. COMBINING WITH DECOY STATES 



Decoy method [19], [20], [21], [22], [23], [24], [25] significantly improves the performance for QKD
systems with coherent state source. Here, we will show that the idea of decoy states can 
also be useful when the source is unknown and untrusted. 
A. Weak+vacuum protocol

Among all the decoy state protocols, the weak+vacuum protocol is the most popular one.
It is shown to be the optimal protocol in asymptotic case [22]. "Asymptotic" here means
infinitely long source data sequence. The weak+vacuum protocol has been used in most
experimental decoy state QKD implementations [28, 29, 30, 31, 32].

In weak+vacuum protocol, there are three states: the signal state (for which the internal
transmittance of Alice is $\lambda_S$), the weak decoy state (for which the internal transmittance of
Alice is $\lambda_D < \lambda_S$), and the vacuum state (for which the internal transmittance of Alice is
0). We consider that only the signal state is used to generate the final key, while the decoy
states are solely used to test the channel properties.

The error correction will consume

$$r_{EC} = Q_e^S f(E_e^S) H_2(E_e^S) \qquad (10)$$

bit per signal sent from Alice, where $Q_e^S$ and $E_e^S$ are the overall gain and overall QBER of
signal state, and $H_2$ is the binary Shannon function.

The probability that Alice sends out an untagged signal which is securely transmitted to
Bob is

$$r_{PA} = (1-\Delta-\varepsilon) Q_1^S [1 - H_2(e_1^S)], \qquad (11)$$

where $Q_1^S$ and $e_1^S$ are the gain and the QBER of single photon state in untagged bits. This
is because Alice and Bob can, in principle, measure the input photon number m and the
output photon number n accurately and therefore post-select the untagged bits with $n = 1$.
They can then use these post-selected single-photon untagged bits to generate the secure
key. In practice, QND measurements on m and n by Alice are not feasible with current
technology. However, Alice and Bob know the probability of certain bit to be untagged.
They can use random-hashing method to perform privacy amplification to distill the secure
key. Similar technique was used in Q].

The key generation rate in standard BB84 protocol is therefore given by

$$R \ge \frac{1}{2}(r_{PA} - r_{EC}) \ge \frac{1}{2}\left\{-Q_e^S f(E_e^S) H_2(E_e^S) + (1-\Delta-\varepsilon)\underline{Q_1^S}[1 - H_2(\overline{e_1^S})]\right\}, \qquad (12)$$

where 1/2 is the probability that Alice and Bob use the same basis.

$Q_e^S$, $E_e^S$, $\Delta$, and $\varepsilon$ can be determined experimentally. Our main task is to estimate $Q_1^S$
and $e_1^S$.






In previous analysis on decoy state QKD [20], [21], [22], [26], one important assumption is
that the yield of n photon state $Y_n$ in signal state is the same as $Y_n$ in decoy state, i.e.,
$Y_n^S = Y_n^D$. Here $Y_n$ is defined as the conditional probability that Bob's detectors generate a
click given that Alice sends out an n photon signal. This is true because in the analysis of
[20, 26] Eve knows only the output photon number n of each pulse. However, as we
will show below, this assumption is no longer valid in the case that the source is controlled
by Eve.

The key point is that Eve knows both the input photon number m and the output photon
number n when she controls both the source and the channel. Therefore she can perform
an attack that depends on the values of both m and n. In this case, the parameter that is
the same for these states is $Y_{m,n}$, the conditional probability that Bob's detectors click given
that this bit enters Alice's lab with photon number m and is emitted from Alice's lab with
photon number n. In this case, $Y_n$ is given by (see Appendix A for details)

$$Y_n = \sum_m P\{m|n\} Y_{m,n}, \qquad (13)$$

where $P\{m|n\}$ is the conditional probability that the signal enters Alice's local lab with
photon number m given that it is emitted from Alice's lab with photon number n. Note
that $P\{m|n\}$ is dependent on the internal transmittance of Alice's apparatus $\lambda$. Since
$\lambda_S \neq \lambda_D$, we know that $Y_n^S \neq Y_n^D$.



Another fundamental assumption for previous decoy state security studies [20], [21], [22]
is that the QBER of n-photon state $e_n$ is the same for signal state and decoy state, i.e.,
$e_n^S = e_n^D$. Unfortunately, from a similar analysis as above, we can show that $e_n^S \neq e_n^D$ if Eve
controls the source. The parameter that is the same for the signal state and the decoy states
is $e_{m,n}$.

As a brief summary, in decoy state QKD, if the source is in Alice's local lab and is solely
accessible to Alice (that is, the source is trusted), we have $Y_n^S = Y_n^D$ and $e_n^S = e_n^D$, whereas if
the source is out of Alice's local lab and is accessible to Eve (that is, the source is untrusted),
we have $Y_{m,n}^S = Y_{m,n}^D$ and $e_{m,n}^S = e_{m,n}^D$.

The dependence of $Y_n$ and $e_n$ on different states (signal state or one of the decoy states)
is a fundamental difference between decoy state QKD with untrusted source and decoy state
QKD with trusted source. In the latter case, the independence of $Y_n$ and $e_n$ on different states
is a very powerful constraint on Eve's ability of eavesdropping. However, this constraint is
removed once the source is given to Eve.

Eve's control over the source removes the two fundamental assumptions in 22].
Eve is given significantly greater power, and the security analysis is much more challenging.
However, rather surprisingly, it is still possible to achieve the unconditional security
quantitatively even if the source is given to Eve. This is mainly because we are only focusing
on the untagged bits, whose input photon numbers are concentrated in a relatively narrow
range. Therefore we are still able to estimate $Q_1^S$ and $e_1^S$.

Proposition 1: the lower bound of $Q_1^S$ for untagged bits is given by



Qf > Qf = Pi 



under Condition 2: 



A5 (l + S)N-2 
\ D > (l-8)N-2 



Q D P 2 S 



Q S P 2 D 



(P$P° - P»Pi)Q 



)V 



28N(1-\ D ) 2 



[{1-S)N+1]\ 



P?Pi - PfP 2 D 



(14) 



1 + S)N - 2 
25N 



2SN 
(l-S)JV— 2 



1 + 6)N - 2 e 2 



[l-5)N- 2 25N 



2[(l-d)N-2] 



(15) 



Here $Q^S$, $Q^D$ and $Q^V$ are the gains of untagged bits of the signal state, the decoy state,
and the vacuum state, respectively. Their bounds can be estimated from Eqs. (1). The
bounds of the probabilities can be estimated from Eqs. (j3J). Note that Condition 2 is easy
to meet. For example, in the numerical simulation in Section VII we chose $N = 10^6$ and
$\delta = 0.01$. In this case we can calculate Condition 2 as $\lambda_S/\lambda_D > 1.104$, which is very reasonable
to meet experimentally. Actually, $\lambda_S/\lambda_D$ is usually greater than 2 in previous decoy state
QKD implementations [28, 29, 32, 33, 34].
Proof: Appendix B.

Proposition 2: the upper bound of $e_1^S$ for untagged bits is given by

$$e_1^S \le \overline{e_1^S} = \frac{\overline{E^S Q^S} - \underline{P_0^S}\,\underline{E^V Q^V}}{\underline{Q_1^S}}, \qquad (16)$$

in which $E^S$ and $E^V$ are the QBERs of untagged bits of the signal and the vacuum states,
respectively. $E^S Q^S$ and $E^V Q^V$ can be estimated from Eqs. (2). $P_0^S$ can be estimated by
Eqs. ). $\underline{Q_1^S}$ is given by Eq. (14).
Proof: Appendix C.

Plugging Eqs. (14) & (16) into Eq. (12), we can easily calculate the overall key generation
rate of weak+vacuum decoy state QKD protocol given the source is under Eve's control.

B. One-decoy protocol (asymptotic case)

The one-decoy protocol is the simplest decoy state protocol. In the one-decoy protocol,
there are only two states: a signal state and a weak decoy state. It can be viewed as a
simplified version of the weak+vacuum protocol since it does not have the vacuum state.

The one-decoy protocol is of practical interest, particularly due to the difficulty of
preparing perfect vacuum state. It has also been widely used in experiments [27, 33, 34].

Here, we will show that the one-decoy protocol is also applicable when the source is under
Eve's control in the asymptotic case. The asymptotic case means that Alice sends infinitely
long bit sequence ($K \to \infty$).



In the one-decoy protocol, there is no vacuum state. Therefore we cannot measure $Q^V$
or $E^V$, which means we cannot use Eqs. (1) to estimate $Q^V$ in Eq. (14) or use Eqs. (2) to
estimate $E^V Q^V$ in Eq. (16). Nonetheless, we can still estimate $Q_1^S$ and $e_1^S$.

Proposition 3: In the absence of the vacuum state, a lower bound of $Q_1^S$ and an upper
bound of $e_1^S$ for untagged bits are given by



Q' = Pi 



s- 



P-=E V [(1-<5)JV+1]! 



pD pS pS pD 
M £g - f_l ^2 (17) 



e 



s 



Of 



respectively under Condition 2 in the asymptotic case. Here $Q^S$ and $Q^D$ are the gains of
untagged bits of the signal state and the decoy state, respectively. Their bounds can be
estimated from Eqs. (1). $E^S$ is the QBER of untagged bits of the signal state. $E^S \cdot Q^S$
can be estimated from Eqs. (2). E = 0.5 in the asymptotic case. The bounds of the
probabilities can be estimated from Eqs. (jl]).
Proof: Appendix D.

Plugging Eqs. (17) into Eq. (12), we can easily calculate the overall key generation rate
of one-decoy protocol given the source is under Eve's control.






VII. NUMERICAL SIMULATION WITH COHERENT SOURCE: ASYMPTOTIC CASE

In the asymptotic case, Alice sends infinitely long bit sequence ($K \to \infty$). Therefore we
can consider $\varepsilon \to 0$.

A. Calculating $\Delta$

For any $\delta \in [0, 1]$, we can calculate $\Delta$ by

$$\Delta = 1 - [\Phi(N + \delta N) - \Phi(N - \delta N)], \qquad (18)$$

where $\Phi$ is the cumulative distribution function of the photon number for the input pulses.

Most QKD set-ups are based on coherent sources, which means that the input photon
number m obeys Poisson distribution. It is natural to set $N$ to be the average input photon
number. For a Poisson distribution centered at $N$, its cumulative distribution function is
given by

$$\Phi_p(x) = \frac{\Gamma(\lfloor x+1 \rfloor, N)}{\lfloor x \rfloor !},$$

where $\Gamma(x,y)$ is the upper incomplete gamma function

$$\Gamma(x,y) = \int_y^{\infty} t^{x-1} e^{-t}\, dt.$$

It is complicated to calculate $\Phi_p(x)$ numerically, particularly for large x. Therefore in
numerical simulation, we approximate the Poisson distribution by a Gaussian distribution
centered at $N$ with a variance $\sigma^2 = N$. Note this is an excellent approximation for large $N$.
The Gaussian cumulative distribution function is given by

$$\Phi_g(x) = \frac{1}{2}\left[1 + \mathrm{erf}\left(\frac{x-N}{\sqrt{2N}}\right)\right], \qquad (19)$$

where

$$\mathrm{erf}(x) = \frac{2}{\sqrt{\pi}} \int_0^x e^{-t^2}\, dt$$

is the error function. Notice that $\mathrm{erf}(x)$ is an odd function; from Eqs. (18) and (19) we have

$$\Delta = 1 - [\Phi_g(N + \delta N) - \Phi_g(N - \delta N)] = 1 - \frac{1}{2}\left[\mathrm{erf}\left(\frac{\delta N}{\sqrt{2N}}\right) - \mathrm{erf}\left(\frac{-\delta N}{\sqrt{2N}}\right)\right] = 1 - \mathrm{erf}\left(\sqrt{\frac{N}{2}}\,\delta\right). \qquad (20)$$

B. Simulating experimental outputs

If the photon number of an input pulse obeys Poisson distribution with average photon
number $N$, the photon number of the output signal also follows Poisson distribution with
average photon number $N\lambda$.

For a QKD setup with channel transmittance $\eta$ ($= e^{-\alpha l}$, where $\alpha$ is the loss coefficient and
$l$ is the distance between Alice and Bob), Bob's quantum efficiency $\eta_{\mathrm{Bob}}$, detector intrinsic
error rate $e_{\mathrm{det}}$ and background rate $Y_0$, the gain and the QBER of the signals are expected
to be [22]

$$Q_e = Y_0 + 1 - \exp(-\eta \eta_{\mathrm{Bob}} N \lambda), \qquad E_e = \frac{e_0 Y_0 + e_{\mathrm{det}}[1 - \exp(-\eta \eta_{\mathrm{Bob}} N \lambda)]}{Q_e}. \qquad (21)$$

The experimental outputs are clearly determined by Alice's internal transmittance $\lambda$ which
needs to be set before the experiment. In our simulation, the optimal values for $\lambda_S$ and $\lambda_D$
are selected numerically via exhaustive search.

With these simulated experimental outputs, we can calculate the lower bound of key 
generation rate from Eqs flD, ©, (@]), §D, flU, PH^- 



Simulation results

Our simulation is based on the parameters reported by [39], as shown in Table I.

We choose to set $N = 10^6$, which is very reasonable: if the wavelength is 1550 nm and
the pulse repetition rate is 1 MHz, the average input laser power will be ~0.128 µW, or
−38.9 dBm. Even if the channel loss from the source to Alice is 40 dB (~200 km telecom
fiber), the required average output power from the source is ~1.28 mW, which can be easily
provided by many commercial pulsed laser diodes. We chose $\delta$ to be 10 standard deviations
as $\delta = 0.01$.
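The quantities used in this simulation can be evaluated directly; the following Python code is an added example, not the authors' simulation code. It computes the tagged fraction $\Delta$ from the Gaussian approximation and from a direct Poisson tail sum, the gain and QBER of Eq. (21) with the Table I parameters, and the input power quoted above. The background error rate $e_0 = 0.5$, the value of $\lambda$, the inclusive window boundaries and the dB conversion $\eta = 10^{-\alpha l/10}$ are assumptions not stated on the page.

```python
import math

# Table I (GYS) parameters, as listed on the page.
ETA_BOB = 0.045          # Bob's quantum efficiency
ALPHA_DB_PER_KM = 0.21   # fiber loss coefficient
Y0 = 1.7e-6              # background rate
E_DET = 0.033            # detector intrinsic error rate
E0 = 0.5                 # ASSUMPTION: error rate of background clicks


def tagged_fraction_gauss(n_avg, delta):
    """Gaussian approximation: Delta = 1 - erf(sqrt(N/2) * delta).

    erfc() is used instead of 1 - erf() so that a tail far below the
    double-precision epsilon is not rounded to zero.
    """
    return math.erfc(math.sqrt(n_avg / 2.0) * delta)


def tagged_fraction_poisson(n_avg, delta, span_sigmas=40):
    """Poisson probability that m falls outside [(1-delta)N, (1+delta)N].

    ASSUMPTION: the window boundaries are inclusive. Both tails are summed
    term by term in log space and truncated span_sigmas standard deviations
    from the mean, where the terms have long since underflowed.
    """
    lo = round((1 - delta) * n_avg)
    hi = round((1 + delta) * n_avg)
    reach = int(span_sigmas * math.sqrt(n_avg))
    log_n = math.log(n_avg)

    def pmf(k):
        return math.exp(k * log_n - n_avg - math.lgamma(k + 1))

    upper = sum(pmf(k) for k in range(hi + 1, int(n_avg) + reach))
    lower = sum(pmf(k) for k in range(max(0, int(n_avg) - reach), lo))
    return upper + lower


def gain_and_qber(n_avg, lam, dist_km):
    """Eq. (21): expected gain Q_e and QBER E_e for output mean N * lam."""
    eta = 10 ** (-ALPHA_DB_PER_KM * dist_km / 10)    # channel transmittance
    p_signal = -math.expm1(-eta * ETA_BOB * n_avg * lam)
    q = Y0 + p_signal
    return q, (E0 * Y0 + E_DET * p_signal) / q


def input_power_watts(n_avg, rep_rate_hz, wavelength_m):
    """Average optical power of pulses carrying n_avg photons each."""
    h, c = 6.62607015e-34, 299792458.0
    return n_avg * rep_rate_hz * h * c / wavelength_m


if __name__ == "__main__":
    N, DELTA = 1e6, 0.01
    print("Delta (Gaussian):", tagged_fraction_gauss(N, DELTA))
    print("Delta (Poisson): ", tagged_fraction_poisson(N, DELTA))
    print("input power (W): ", input_power_watts(N, 1e6, 1550e-9))
    for d in (0, 50, 100, 150):
        # lam = 5e-7 (output mean 0.5 photon) is a constructed value
        print(d, "km:", gain_and_qber(N, 5e-7, d))
```

The two tail estimates agree closely at $N = 10^6$, which is the regime the Gaussian approximation is used for here.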

The simulation result for GLLP protocol is shown in Fig. 2. We can see that the key
generation rate with an untrusted source is very close to that with a trusted source. Their
difference is almost negligible, and is only visible by magnifying the tail (see the inset).

TABLE I: Simulation Parameter from GYS

  $\eta_{\mathrm{Bob}}$    $\alpha$       $Y_0$                  $e_{\mathrm{det}}$
  4.5%        0.21 dB/km     $1.7 \times 10^{-6}$   3.3%

FIG. 2: Simulation of GLLP protocol for $N = 10^6$ and $\delta = 1\%$. Citing GYS [39] data. Inset:
the magnified tail. The two cases (with a trusted source and with an untrusted source) give very
similar results. We need to magnify the tail (see the inset) to see the slight advantage gained by
using a trusted source. We calculated the ratio of the key generation rate with an untrusted source
over that with a trusted source. The ratios are 98.0%, 97.7%, and 75.3% at 0 km, 20 km, and
40 km, respectively.

The simulation result for weak+vacuum protocol is shown in Fig. 3. We can see that the
key generation rate with an untrusted source is still very close to that with a trusted source.
By simply comparing the maximum transmission distances, we can see that the difference
is merely 5 km for weak+vacuum decoy state protocol.

The simulation result for one-decoy protocol is shown in Fig. 4. We can see that the key
generation rate with an untrusted source is still very close to that with a trusted source.
The difference of maximum transmission distances is merely 8 km.

The above results are surprisingly good because we did not assume any a priori knowledge 
about the source in the security analysis. In other words, Alice and Bob do not know the 
fact that the source is Poissonian and therefore they cannot assume any photon number 
distribution. 



[Plot: x-axis Distance (km); legend: Untrusted Source, Trusted Source]

FIG. 3: Simulation of weak+vacuum decoy state protocol for $N = 10^6$ and $\delta = 1\%$. Citing GYS
[39] data. The two cases (with a trusted source and with an untrusted source) give very close
results. We calculated the ratio of the key generation rate with an untrusted source over that with
a trusted source. The ratios are 77.3%, 76.8%, and 73.6% at 0 km, 50 km, and 100 km, respectively.

One important reason for achieving this high performance is that we applied heavy
attenuation on the input pulses. Note that the input pulse has ~$10^6$ photons, while the
output pulse has less than one photon on average. The internal attenuation of Alice's local
lab is greater than -60dB. We know that heavy attenuation will transform arbitrary photon
number distribution into a Poisson-like distribution.

As we mentioned before, $\delta$ can be arbitrarily chosen. However, choosing $\delta$ too large or too
small will make the security analysis less optimal (i.e., conservative). Examples are given in
Fig. 5. We can clearly see that inappropriate choice of $\delta$ can deteriorate the performance
of the system. The one-decoy protocol with untrusted source is particularly sensitive to the
value of $\delta$.

The analytical optimization of $\delta$ can be complicated. Here we just study this problem
numerically. We calculated the maximum possible transmission distances for different $\delta$.
The results are shown in Fig. 6. We can clearly see that there is an optimal choice of $\delta$.
Note that our analysis is valid for arbitrary value of $\delta$. The optimal value of $\delta$ will give us
the optimal (while still being rigorous) estimate on the security of the system. Alice and
Bob do not need to choose a certain value of $\delta$ before the experiment. They only need to
find an optimal value of $\delta$ during the data post-processing.

FIG. 4: Simulation of one-decoy protocol for $N = 10^6$ and $\delta = 1\%$. Citing GYS [39] data. The two
cases (with a trusted source and with an untrusted source) give very close results. We calculated
the ratio of the key generation rate with an untrusted source over that with a trusted source. The
ratios are 68.6%, 67.1%, and 37.1% at 0 km, 50 km, and 100 km, respectively.

The flat top in the curve of Fig. 6 suggests the insensitivity of the maximum transmission
distance on $\delta$ in a wide range. We can see that the maximum transmission distance
changes only 8% within the range of $\delta$ from 5 standard deviations to 100 standard
deviations. Therefore in practice, one can simply set $\delta$ to be a few standard deviations and
achieve near-optimal results.



VIII. CONCLUSION 



In this paper, we present the first rigorous quantitative security analysis of a QKD system
with an unknown and untrusted source. This analysis is particularly important for the
security of a standard "Plug & Play" system. We showed that, rather surprisingly, even with
an unknown and untrusted source, unconditional security of QKD system is still achievable,
with and without the decoy method. Moreover, we explicitly give the experimental measures
that have to be taken to ensure the security, and the theoretical analysis that can be directly
applied to calculate the final secure key generation rate. One can easily extend our analysis
to understand the security of QKD network, in which the source is often untrusted.

(a) Simulation for $N = 10^6$ and $\delta = 0.4\%$.

(b) Simulation for $N = 10^6$ and $\delta = 11\%$.

FIG. 5: Simulation results for too small (a) and too large (b) values of $\delta$. Citing GYS [39] data.
Both figures show key rates of different protocols with untrusted source.

For the first time, the unconditional security of the "plug & play" QKD system with 
current technology is made possible by us. The "plug & play" structure has clear advantage 
over uni-directional structure since it does not require any active compensation on the phase 
or the polarization. The self-compensating property of the "plug & play" structure makes 
it much simpler to implement than the uni-directional structure, and makes it much quieter 
(i.e., much lower QBER). All the commercial QKD systems [40], [41] are based on this simple
and reliable structure. However, the lack of rigorous security analysis has been an obstacle 
for its development for a long time. With our straightforward theoretical and experimental 
solution, we expect the "plug & play" structure to receive much more attention. 

The security of practical QKD systems is a serious issue. Recently, several quantum
hacking works have been reported [14], [42]. It is very important to implement QKD system
based on tested assumptions. There are still several crucial imperfections that are not
analyzed in this paper. For example, how can we understand the imperfection due to
non-single-mode (note that this is particularly important for free-space QKD)? How can
we analyze the fluctuation of internal transmittance $\lambda$? Also, how can we test the key
assumptions in our analysis: $Y^S_{m,n} = Y^D_{m,n}$ and $e^S_{m,n} = e^D_{m,n}$? These question marks suggest
us a simple fact: although we are approaching the unconditional security of practical QKD
set-up, we are not there yet.

FIG. 6: Maximum transmission distances of weak+vacuum protocol for various choices of $\delta$s.

We thank enlightening discussions with C. H. Bennett, C.-H. F. Fung, D. Gottesman, D. 
F. V. James, X. Ma, J.-W. Pan, L. Qian, and X.-B. Wang. Support of the funding agencies 
CFI, CIPI, the CRC program, CIFAR, MITACS, NSERC, OIT, and PREA is gratefully 
acknowledged. 
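APPENDIX A: DERIVATION OF $Y_n$

We set $\mathcal{M}$ as the random variable of the input photon number, $\mathcal{N}$ as the random variable
of the output photon number, and $C$ as the random variable of Bob's detector status ($y$ =
detection, $n$ = no detection). $Y_n$ is then given by the conditional probability

$$Y_n = \Pr\{C = y \mid \mathcal{N} = n\}, \qquad (A1)$$

and $Y_{m,n}$ is given by the conditional probability

$$Y_{m,n} = \Pr\{C = y \mid \mathcal{N} = n \,\&\, \mathcal{M} = m\}. \qquad (A2)$$

$Y_n$ can be expanded as

$$
\begin{aligned}
Y_n &= \Pr\{C = y \mid \mathcal{N} = n\} \\
&= \frac{\Pr\{C = y \,\&\, \mathcal{N} = n\}}{\Pr\{\mathcal{N} = n\}} \\
&= \sum_{m=0}^{\infty} \frac{\Pr\{C = y \,\&\, \mathcal{N} = n \,\&\, \mathcal{M} = m\}}{\Pr\{\mathcal{N} = n\}} \\
&= \sum_{m=0}^{\infty} \frac{\Pr\{\mathcal{N} = n \,\&\, \mathcal{M} = m\}}{\Pr\{\mathcal{N} = n\}} \cdot \frac{\Pr\{C = y \,\&\, \mathcal{N} = n \,\&\, \mathcal{M} = m\}}{\Pr\{\mathcal{N} = n \,\&\, \mathcal{M} = m\}} \\
&= \sum_{m=0}^{\infty} \Pr\{\mathcal{M} = m \mid \mathcal{N} = n\} \Pr\{C = y \mid \mathcal{N} = n \,\&\, \mathcal{M} = m\} \\
&= \sum_{m=0}^{\infty} P\{m \mid n\}\, Y_{m,n}. \qquad \square
\end{aligned}
$$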

APPENDIX B: ESTIMATE OF $Q_1^S$



From definition 



3 71 ] , we know that the gain of untagged bits is given by 



$$Q = \sum_{m=(1-\delta)N}^{(1+\delta)N} \sum_{n=0}^{\infty} P_{in}(m) P_n(m) Y_{m,n},$$

where $P_{in}(m)$ is the probability that the input signal contains $m$ photons (i.e., the ratio of
the number of signals with $m$ input photons over $K$), $P_n(m)$ is the conditional probability
that the output signal contains $n$ photons given the input signal contains $m$ photons, and
is given by Eq. (J3]).

The gains for signal, decoy, and vacuum states in untagged bits are therefore given by

$$
\begin{aligned}
Q^S &= \sum_{m=(1-\delta)N}^{(1+\delta)N} \sum_{n=0}^{\infty} P_{in}(m) P_n^S(m) Y_{m,n}, \\
Q^D &= \sum_{m=(1-\delta)N}^{(1+\delta)N} \sum_{n=0}^{\infty} P_{in}(m) P_n^D(m) Y_{m,n}, \qquad (B1) \\
Q^V &= \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,0},
\end{aligned}
$$

respectively. Here $P_n^{S/D}(m)$ is $P_n(m)$ for the signal/decoy state. Their bounds can be
estimated from Eqs. (j4|). $Q^{S/D/V}$ cannot be measured experimentally, but their upper
bounds and lower bounds can be estimated from Eqs. (CD). Note that $\Delta^{S/D/V}$ should be
determined experimentally. In asymptotic case, $\Delta^S = \Delta^D = \Delta^V$. If the bit sequence sent
by Alice is finite, $\Delta^{S/D/V}$ may not be exactly the same due to statistical fluctuation.

We know that

$$Q_1^S = \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) P_1^S(m) Y_{m,1} \ge \underline{P_1^S} \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,1} = \underline{P_1^S}\, Z_1, \qquad (B2)$$

in which $\underline{P_1^S}$ can be calculated from Eqs. (jl]), and $Z_1$ is defined as

$$Z_1 = \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,1}. \qquad (B3)$$

If we can put a lower bound on $Z_1$, we will be able to estimate the lower bound of $Q_1^S$.

$Z_1$ clearly arises from the contribution of single photon signals. A natural strategy is
to find an appropriate linear combination of $Q^S$ and $Q^D$, in which the multi-photon signal
contribution is minimized (while keeping it positive) so that we can set a lower bound on it
as zero. Among all the multi-photon signals, the two photon signal has much greater weight
than signals with more photons. Therefore, we will try to eliminate the two-photon signal
contribution first. Note that we can easily estimate the contribution of vacuum signals from
$Q^V$ and $E^V$.

Eqs. (gD show that $\underline{P_n^S} \le P_n^S(m) \le \overline{P_n^S}$ and $\underline{P_n^D} \le P_n^D(m) \le \overline{P_n^D}$ for untagged bits.
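Combining them with Eqs. (B1), we have

$$
\begin{aligned}
Q^S \overline{P_2^D} - Q^D \underline{P_2^S}
&= \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) \sum_{n=0}^{\infty} \left[P_n^S(m)\,\overline{P_2^D} - P_n^D(m)\,\underline{P_2^S}\right] Y_{m,n} \\
&\ge \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) \sum_{n=0}^{\infty} \left[\underline{P_n^S}\,\overline{P_2^D} - \overline{P_n^D}\,\underline{P_2^S}\right] Y_{m,n} \\
&= \sum_{n=0}^{\infty} \left[\underline{P_n^S}\,\overline{P_2^D} - \overline{P_n^D}\,\underline{P_2^S}\right] \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,n} \\
&= a_0 \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,0} + a_1 \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,1}
 + \left(\underline{P_2^S}\,\overline{P_2^D} - \overline{P_2^D}\,\underline{P_2^S}\right) \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,2} \\
&\quad + \sum_{n=3}^{(1-\delta)N} a_2(n) \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,n} + a_3 \\
&= a_0 \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,0} + a_1 \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,1}
 + \sum_{n=3}^{(1-\delta)N} a_2(n) \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,n} + a_3 \\
&= a_0 Z_0 + a_1 Z_1 + \sum_{n=3}^{(1-\delta)N} a_2(n) Z_2(n) + a_3, \qquad (B4)
\end{aligned}
$$

where

$$a_0 = \underline{P_0^S}\,\overline{P_2^D} - \overline{P_0^D}\,\underline{P_2^S}, \qquad (B5)$$

$$a_1 = \underline{P_1^S}\,\overline{P_2^D} - \overline{P_1^D}\,\underline{P_2^S}, \qquad (B6)$$

$$a_2(n) = \underline{P_n^S}\,\overline{P_2^D} - \overline{P_n^D}\,\underline{P_2^S}, \qquad (B7)$$

$$a_3 = -\sum_{n=(1-\delta)N+1}^{(1+\delta)N} \sum_{m=(1-\delta)N}^{(1+\delta)N} \overline{P_n^D}\,\underline{P_2^S}\, P_{in}(m) Y_{m,n} = -\sum_{n=(1-\delta)N+1}^{(1+\delta)N} \overline{P_n^D}\,\underline{P_2^S}\, Z_3(n); \qquad (B8)$$

and

$$Z_0 = \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,0} = Q^V; \qquad (B9)$$

$$Z_2(n) = \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,n}; \qquad (B10)$$

$$Z_3(n) = \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,n}. \qquad (B11)$$

Note that in Eq. (B4), when $n = 2$, the term $\underline{P_2^S}\,\overline{P_2^D} - \overline{P_2^D}\,\underline{P_2^S} = 0$, which means we
have removed the contribution from the two-photon signals. Our strategy is clear now: the
contribution of vacuum signals ($a_0 Z_0$) can be easily bounded as $a_0$ can be calculated from
Eqs. (B5) and an upper bound of $Z_0$ is given by $\overline{Z_0} = \overline{Q^V}$, which can be calculated from
Eqs. (1T1); the contribution of single photon signals ($a_1 Z_1$) is to be estimated while we know
the exact value of $a_1$; we need to put some bounds on the higher order terms ($a_2$ and $a_3$) to
complete an estimate of $Z_1$. As we will show below, $a_1$ is negative under certain condition.
Therefore we should put a lower bound on the higher order terms to find the lower bound
of $Z_1$.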

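Lemma 1

$a_1$ is negative under Condition 2a:

$$\frac{\lambda_S}{\lambda_D} > \frac{(1+\delta)N - 1}{(1-\delta)N - 1}.$$

Proof:

Expanding Eq. (B6), we have

$$
\begin{aligned}
a_1 &= \underline{P_1^S}\,\overline{P_2^D} - \overline{P_1^D}\,\underline{P_2^S} \\
&= (1-\delta)N\lambda_S(1-\lambda_S)^{(1-\delta)N-1} \cdot \frac{(1+\delta)N[(1+\delta)N-1]}{2}\,\lambda_D^2(1-\lambda_D)^{(1+\delta)N-2} \\
&\quad - (1+\delta)N\lambda_D(1-\lambda_D)^{(1+\delta)N-1} \cdot \frac{(1-\delta)N[(1-\delta)N-1]}{2}\,\lambda_S^2(1-\lambda_S)^{(1-\delta)N-2} \\
&= N^2(1-\delta^2)\lambda_S^2\lambda_D^2(1-\lambda_S)^{(1-\delta)N-2}(1-\lambda_D)^{(1+\delta)N-2}
\left[\frac{[(1+\delta)N-1](1-\lambda_S)}{2\lambda_S} - \frac{[(1-\delta)N-1](1-\lambda_D)}{2\lambda_D}\right]. \qquad (B12)
\end{aligned}
$$

From Eq. (B12) we can see that $a_1 < 0$ under Condition 2a:

$$\frac{\lambda_S}{\lambda_D} > \frac{(1+\delta)N - 1}{(1-\delta)N - 1}. \qquad \square$$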
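Lemma 1'

$a_0$ is negative under Condition 2a.

Proof:

$$
\begin{aligned}
a_0 &= \underline{P_0^S}\,\overline{P_2^D} - \overline{P_0^D}\,\underline{P_2^S} \\
&= (1-\lambda_S)^{(1+\delta)N}\,\frac{(1+\delta)N[(1+\delta)N-1]}{2}\,\lambda_D^2(1-\lambda_D)^{(1+\delta)N-2}
 - (1-\lambda_D)^{(1-\delta)N}\,\frac{(1-\delta)N[(1-\delta)N-1]}{2}\,\lambda_S^2(1-\lambda_S)^{(1-\delta)N-2} \\
&= \frac{1}{2}(1-\lambda_S)^{(1-\delta)N-2}(1-\lambda_D)^{(1-\delta)N}\Big\{(1-\lambda_S)^{2\delta N+2}(1+\delta)N[(1+\delta)N-1]\,\lambda_D^2(1-\lambda_D)^{2\delta N-2} \\
&\qquad - (1-\delta)N[(1-\delta)N-1]\,\lambda_S^2\Big\} \\
&< \frac{1}{2}(1-\lambda_S)^{(1-\delta)N-2}(1-\lambda_D)^{(1-\delta)N}\Big\{(1+\delta)N[(1+\delta)N-1]\,\lambda_D^2 - (1-\delta)N[(1-\delta)N-1]\,\lambda_S^2\Big\} \\
&= \frac{1}{2}(1-\lambda_S)^{(1-\delta)N-2}(1-\lambda_D)^{(1-\delta)N}\Big\{[(1+\delta)N-1]^2\lambda_D^2 + [(1+\delta)N-1]\lambda_D^2 \\
&\qquad - [(1-\delta)N-1]^2\lambda_S^2 - [(1-\delta)N-1]\lambda_S^2\Big\} \\
&< 0.
\end{aligned}
$$

In the last step, we made use of Condition 2a. □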
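Lemma 2

$a_2(n)$ is positive under Condition 2:

$$\frac{\lambda_S}{\lambda_D} > \frac{(1+\delta)N-2}{(1-\delta)N-2}
\left[\frac{(1+\delta)N-2}{2\delta N}\right]^{\frac{2\delta N}{(1-\delta)N-2}}
\left[\frac{(1+\delta)N-2}{(1-\delta)N-2}\cdot\frac{e^2}{2\delta N}\right]^{\frac{1}{2[(1-\delta)N-2]}}. \qquad (B13)$$

Proof:

Expanding Eq. (B7), and noting that $3 \le n \le (1-\delta)N$, we have

$$
\begin{aligned}
a_2(n) &= \underline{P_n^S}\,\overline{P_2^D} - \overline{P_n^D}\,\underline{P_2^S} \\
&= \binom{(1-\delta)N}{n}\lambda_S^n(1-\lambda_S)^{(1-\delta)N-n}\,\frac{(1+\delta)N[(1+\delta)N-1]}{2}\,\lambda_D^2(1-\lambda_D)^{(1+\delta)N-2} \\
&\quad - \binom{(1+\delta)N}{n}\lambda_D^n(1-\lambda_D)^{(1+\delta)N-n}\,\frac{(1-\delta)N[(1-\delta)N-1]}{2}\,\lambda_S^2(1-\lambda_S)^{(1-\delta)N-2} \\
&= \frac{\lambda_S^2\lambda_D^2(1-\lambda_S)^{(1-\delta)N-n}(1-\lambda_D)^{(1+\delta)N-n}\,[(1+\delta)N]!\,[(1-\delta)N]!}{2\cdot n!}\,\big[b_1(n) - b_2(n)\big], \qquad (B14)
\end{aligned}
$$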
where

$$b_1(n) = \frac{\lambda_S^{n-2}(1-\lambda_D)^{n-2}}{[(1-\delta)N-n]!\,[(1+\delta)N-2]!} > 0,$$

$$b_2(n) = \frac{\lambda_D^{n-2}(1-\lambda_S)^{n-2}}{[(1+\delta)N-n]!\,[(1-\delta)N-2]!} > 0.$$

To show that $a_2(n) > 0$, we need to show that $b_1(n) > b_2(n)$. Since they are both positive,
we could try to show that $b_1(n)/b_2(n) > 1$.

$$
\begin{aligned}
\frac{b_1(n)}{b_2(n)} &= \frac{[(1+\delta)N-n]!\,[(1-\delta)N-2]!}{[(1+\delta)N-2]!\,[(1-\delta)N-n]!}
\left[\frac{\lambda_S(1-\lambda_D)}{\lambda_D(1-\lambda_S)}\right]^{n-2} \\
&= \prod_{i=3}^{n}\left[\frac{(1-\delta)N-i+1}{(1+\delta)N-i+1}\cdot\frac{\lambda_S(1-\lambda_D)}{\lambda_D(1-\lambda_S)}\right].
\end{aligned}
$$

Define the last term of the product as

$$d(n) = \frac{(1-\delta)N-n+1}{(1+\delta)N-n+1}\cdot\frac{\lambda_S(1-\lambda_D)}{\lambda_D(1-\lambda_S)},$$

which is a decreasing function of $n$. Note that $d(n)$ is always positive. Due to the decreasing
nature of $d(n)$ on $n$, there exists a real number $n_0$ satisfying the following criterion: for any
$n < n_0$, $d(n) > 1$; for any $n > n_0$, $d(n) < 1$. We can easily see the following facts:

1) If $n < n_0$, we know for sure that $b_1(n)/b_2(n) > 1$, which means $a_2(n) > 0$.

2) If $n > n_0$, $b_1(n)/b_2(n)$ decreases as $n$ increases. Since $n \le (1-\delta)N$, we have

$$
\begin{aligned}
\frac{b_1(n)}{b_2(n)} &= \prod_{i=3}^{n}\left[\frac{(1-\delta)N-i+1}{(1+\delta)N-i+1}\cdot\frac{\lambda_S(1-\lambda_D)}{\lambda_D(1-\lambda_S)}\right] \\
&\ge \prod_{i=3}^{(1-\delta)N}\left[\frac{(1-\delta)N-i+1}{(1+\delta)N-i+1}\cdot\frac{\lambda_S(1-\lambda_D)}{\lambda_D(1-\lambda_S)}\right] \\
&= \frac{[(1-\delta)N-2]!\,(2\delta N)!}{[(1+\delta)N-2]!}\left[\frac{\lambda_S(1-\lambda_D)}{\lambda_D(1-\lambda_S)}\right]^{(1-\delta)N-2} \\
&= \binom{(1+\delta)N-2}{2\delta N}^{-1}\left[\frac{\lambda_S(1-\lambda_D)}{\lambda_D(1-\lambda_S)}\right]^{(1-\delta)N-2}.
\end{aligned}
$$

Therefore $a_2(n) > 0$ under Condition 2b:

$$\frac{\lambda_S}{\lambda_D} > \binom{(1+\delta)N-2}{2\delta N}^{\frac{1}{(1-\delta)N-2}}.$$

Note that $N$ is usually very large, which means the evaluation of Condition 2b can be
computationally challenging. To simplify this condition, we can make use of Stirling's
approximation

$$\sqrt{2\pi}\, n^{n+\frac{1}{2}} \exp\left(-n + \frac{1}{12n+1}\right) < n! < \sqrt{2\pi}\, n^{n+\frac{1}{2}} \exp\left(-n + \frac{1}{12n}\right),$$

which can be simplified to be

$$n^{n+\frac{1}{2}} e^{-n} < n! < n^{n+\frac{1}{2}} e^{-n+1}. \qquad (B15)$$

With the help of Eq. (B15), we can derive a simpler and stronger version of Condition 2b:
Condition 2:

$$\frac{\lambda_S}{\lambda_D} > \frac{(1+\delta)N-2}{(1-\delta)N-2}
\left[\frac{(1+\delta)N-2}{2\delta N}\right]^{\frac{2\delta N}{(1-\delta)N-2}}
\left[\frac{(1+\delta)N-2}{(1-\delta)N-2}\cdot\frac{e^2}{2\delta N}\right]^{\frac{1}{2[(1-\delta)N-2]}}. \qquad \square$$

Note that Condition 2 is also stronger than Condition 2a. Therefore Lemma 1 is also
true under Condition 2.
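Conditions 2a, 2b and 2 can be compared numerically; the following Python code is an added example, not part of the original paper. It evaluates the three thresholds on $\lambda_S/\lambda_D$ with log-gamma arithmetic and checks the sign of $a_2(n)$ through $b_1(n)/b_2(n)$ at both ends of the range $3 \le n \le (1-\delta)N$; the $\lambda$ values used are constructed for illustration.

```python
import math


def cond_2a(n_avg, delta):
    """Condition 2a threshold: [(1+d)N - 1] / [(1-d)N - 1]."""
    return ((1 + delta) * n_avg - 1) / ((1 - delta) * n_avg - 1)


def cond_2b(n_avg, delta):
    """Condition 2b threshold: binom((1+d)N-2, 2dN) ** (1/((1-d)N-2)).

    The binomial coefficient overflows a double for large N, so it is
    evaluated through log-gamma.
    """
    a = (1 + delta) * n_avg - 2
    b = 2 * delta * n_avg
    r = a - b                                   # equals (1-d)N - 2
    log_binom = math.lgamma(a + 1) - math.lgamma(b + 1) - math.lgamma(r + 1)
    return math.exp(log_binom / r)


def cond_2(n_avg, delta):
    """Condition 2 threshold: closed form obtained with Eq. (B15)."""
    a = (1 + delta) * n_avg - 2
    b = 2 * delta * n_avg
    r = a - b
    log_t = (math.log(a / r) + (b / r) * math.log(a / b)
             + math.log(a * math.e ** 2 / (r * b)) / (2 * r))
    return math.exp(log_t)


def log_b1_over_b2(n, n_avg, delta, lam_s, lam_d):
    """ln[b1(n)/b2(n)]; a2(n) > 0 exactly when this is positive."""
    hi = round((1 + delta) * n_avg)
    lo = round((1 - delta) * n_avg)
    log_fact = (math.lgamma(hi - n + 1) + math.lgamma(lo - 1)
                - math.lgamma(hi - 1) - math.lgamma(lo - n + 1))
    log_odds = math.log(lam_s * (1 - lam_d) / (lam_d * (1 - lam_s)))
    return log_fact + (n - 2) * log_odds


def a2_positive_everywhere(n_avg, delta, lam_s, lam_d):
    """d(n) is decreasing, so ln(b1/b2) rises and then falls with n;
    its minimum over 3..(1-d)N is therefore at one of the two ends."""
    n_max = round((1 - delta) * n_avg)
    return all(log_b1_over_b2(n, n_avg, delta, lam_s, lam_d) > 0
               for n in (3, n_max))


if __name__ == "__main__":
    N, DELTA = 1e6, 0.01
    print("2a, 2b, 2:", cond_2a(N, DELTA), cond_2b(N, DELTA), cond_2(N, DELTA))
    # Constructed transmittances: ratio 5 meets Condition 2,
    # ratio 1.05 meets Condition 2a only.
    print(a2_positive_everywhere(N, DELTA, 5e-7, 1e-7))
    print(a2_positive_everywhere(N, DELTA, 1.05e-7, 1e-7))
```

For $N = 10^6$ and $\delta = 0.01$ the closed-form threshold sits just above the exact Condition 2b value, so little is lost by using the simpler Condition 2.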
Lemma 2'

$\sum_{n=3}^{(1-\delta)N} a_2(n) Z_2(n) \ge 0$ under Condition 2.

Proof:

From Eq. (B10) we can clearly see that $Z_2(n) \ge 0$. □
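Lemma 3

$$a_3 \ge -\frac{2\delta N(1-\lambda_D)^{2\delta N-1}\,\underline{P_2^S}}{[(1-\delta)N+1]!}.$$

Proof:

Expanding Eq. (B8), we have

$$
\begin{aligned}
a_3 &= -\sum_{n=(1-\delta)N+1}^{(1+\delta)N} \overline{P_n^D}\,\underline{P_2^S}\, Z_3(n) \\
&\ge -\sum_{n=(1-\delta)N+1}^{(1+\delta)N} \overline{P_n^D}\,\underline{P_2^S}
 && (\because\ 0 \le Z_3(n) \le 1) \\
&\ge -2\delta N\, \overline{P^D_{(1-\delta)N+1}}\,\underline{P_2^S}
 && (\because\ 0 \le \overline{P_n^D} \le \overline{P^D_{(1-\delta)N+1}}) \\
&= -2\delta N \binom{(1+\delta)N}{(1-\delta)N+1} \lambda_D^{(1-\delta)N+1}(1-\lambda_D)^{2\delta N-1}\,\underline{P_2^S} \\
&= -\frac{2\delta N(1-\lambda_D)^{2\delta N-1}\,\underline{P_2^S}}{[(1-\delta)N+1]!} \prod_{i=0}^{(1-\delta)N} \big\{[(1+\delta)N-i]\lambda_D\big\} \\
&\ge -\frac{2\delta N(1-\lambda_D)^{2\delta N-1}\,\underline{P_2^S}}{[(1-\delta)N+1]!}.
 && (\because\ [(1+\delta)N-i]\lambda_D < 1) \qquad (B16)
\end{aligned}
$$

□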



Note that |a 3 | is in the order of 0(4h). It is very close to 
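From Eqs. (B4) - (B16) we can conclude that

$$Q^D\underline{P_2^S} - Q^S\overline{P_2^D} + a_0 Z_0 + \sum_{n=3}^{(1-\delta)N} a_2(n) Z_2(n) + a_3
\ \ge\ \underline{Q^D}\,\underline{P_2^S} - \overline{Q^S}\,\overline{P_2^D} + a_0\overline{Q^V} - \frac{2\delta N(1-\lambda_D)^{2\delta N-1}\,\underline{P_2^S}}{[(1-\delta)N+1]!}$$

under Condition 2:

$$\frac{\lambda_S}{\lambda_D} > \frac{(1+\delta)N-2}{(1-\delta)N-2}
\left[\frac{(1+\delta)N-2}{2\delta N}\right]^{\frac{2\delta N}{(1-\delta)N-2}}
\left[\frac{(1+\delta)N-2}{(1-\delta)N-2}\cdot\frac{e^2}{2\delta N}\right]^{\frac{1}{2[(1-\delta)N-2]}}.$$

Therefore the lower bound of $Q_1^S$ is given by

$$Q_1^S \ge \underline{P_1^S}\, Z_1 \ge \underline{P_1^S}\,\underline{Z_1}
= \underline{P_1^S}\,\frac{\underline{Q^D}\,\underline{P_2^S} - \overline{Q^S}\,\overline{P_2^D} + \left(\underline{P_0^S}\,\overline{P_2^D} - \overline{P_0^D}\,\underline{P_2^S}\right)\overline{Q^V} - \dfrac{2\delta N(1-\lambda_D)^{2\delta N-1}\,\underline{P_2^S}}{[(1-\delta)N+1]!}}{\overline{P_1^D}\,\underline{P_2^S} - \underline{P_1^S}\,\overline{P_2^D}}
= \underline{Q_1^S}.$$

This completes our proof of Proposition 1.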



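APPENDIX C: ESTIMATE OF $e_1^S$

The derivation of the upper bound of $e_1^S$ is relatively simpler than that of the lower bound
of $Q_1^S$. Similar to Eq. (B4), we have

$$E^S \cdot Q^S = \sum_{m=(1-\delta)N}^{(1+\delta)N} \sum_{n=0}^{\infty} P_{in}(m) P_n^S(m) Y_{m,n}\, e_{m,n},$$

where $e_{m,n}$ is the error rate for signals with $m$ input photons and $n$ output photons.
Rearranging terms, we have

$$
\begin{aligned}
Q_1^S e_1^S &= E^S \cdot Q^S - Q_0^S e_0^S - \sum_{n=2}^{\infty} Q_n^S e_n^S \\
&\le E^S \cdot Q^S - Q_0^S e_0^S \\
&= E^S \cdot Q^S - \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) P_0^S(m) Y_{m,0}\, e_{m,0} \\
&\le E^S \cdot Q^S - \underline{P_0^S} \sum_{m=(1-\delta)N}^{(1+\delta)N} P_{in}(m) Y_{m,0}\, e_{m,0} \\
&= E^S \cdot Q^S - \underline{P_0^S}\, E^V \cdot Q^V. \qquad (C1)
\end{aligned}
$$

The upper bound of $e_1^S$ is thus given by

$$e_1^S \le \frac{E^S \cdot Q^S - \underline{P_0^S}\, E^V \cdot Q^V}{Q_1^S} \le \frac{\overline{E^S \cdot Q^S} - \underline{P_0^S}\,\underline{E^V \cdot Q^V}}{\underline{Q_1^S}}.$$

This completes our proof of Proposition 2.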



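APPENDIX D: THE ONE-DECOY PROTOCOL

In one-decoy protocol, there is no vacuum state. Therefore we cannot measure $Q^V$ or
$E^V$. If we still want to estimate $Q_1^S$ via Eq. (14) and $e_1^S$ via Eq. (16), we need to estimate
$Q^V$ in Eq. (14) and $E^V \cdot Q^V$ in Eq. (15) in another way.

To estimate $Q^V$, we can look into Eq. (C1):

$$\underline{P_0^S}\, E^V Q^V \le E^S Q^S - Q_1^S e_1^S \le E^S Q^S \le \overline{E^S Q^S}.$$

Therefore

$$Q^V \le \frac{\overline{E^S Q^S}}{\underline{P_0^S}\, E^V} = \overline{Q^V}, \qquad (D1)$$

where $\overline{E^S Q^S}$ can be estimated from Eqs. (j2J), $\underline{P_0^S}$ can be estimated from Eqs. (HI), and
$E^V = 0.5$ in asymptotic case.

Plugging Eq. (D1) into Eq. (14), we have the expression of $\underline{Q_1^S}$ with the one-decoy
protocol:

$$Q_1^S \ge \underline{Q_1^S} = \underline{P_1^S}\,\frac{\underline{Q^D}\,\underline{P_2^S} - \overline{Q^S}\,\overline{P_2^D} + \left(\underline{P_0^S}\,\overline{P_2^D} - \overline{P_0^D}\,\underline{P_2^S}\right)\dfrac{\overline{E^S Q^S}}{\underline{P_0^S}\, E^V} - \dfrac{2\delta N(1-\lambda_D)^{2\delta N-1}\,\underline{P_2^S}}{[(1-\delta)N+1]!}}{\overline{P_1^D}\,\underline{P_2^S} - \underline{P_1^S}\,\overline{P_2^D}}.$$

As for the estimate of $E^V \cdot Q^V$, we can simply use the following fact: $E^V \cdot Q^V \ge 0$.

Therefore the expression of $\overline{e_1^S}$ in one-decoy protocol is given by

$$e_1^S \le \overline{e_1^S} = \frac{\overline{E^S \cdot Q^S}}{\underline{Q_1^S}}.$$

This completes our proof of Proposition 3.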



